Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.

Adding the "defer" didn't prevent the error, but that's okay, because by adding that script it actually causes the application to crash anyway...

I did another test using XSS that locked the application in an infinite loop posting the cookie value to another domain, then doing a history.back, then it reposts, then back, etc... also causing the application to crash...

hrm.. ya my logic was a bit flawed on that one.. because just appending the script tag (or anything) to the document was enough to cause the error while loading.. so the only surefire way is to either:

A) when it's for XSS, which injects html not javascript - use the defer tag.. i.e.

B) when it's for XSS which injects into javascript code.. add a function to the window.onload event to insert that remote script to the document. this has a drawback of not executing until the page fully loads - so if that's unacceptable, the only choice is to inject the entire exploit into the local javascript.

Or how about <IMG SRC="" onerror="alert('XSS')"> that would work too. ;) But if you are JUST talking about CSRF and not XSS the answer is no... you can't force the browser to go anywhere other than request a page. It won't "go" there as in render the content inside of the image tag, but it will send the browser there and act as a "click" regardless of whether the page you request is an image or not.